blustealer | bd7b03186f9bb6ec5ba764de82d56c9d7b29def90837cb903c6fc24e9d7ad937

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI-12042023-02.exe
Size

1.5MB
MD5

49dfa3ff454a308c963c3fbcf8c6281d
SHA1

7ce1a8671508cf9449b5a962288d92a8cfca9a7e
SHA256

dd108cf78013ce269848a78918fb30c55b4fb0c93634777640994fda1c79ec11
SHA512

7ca847ff5f94c2d9654cc59f252bb96175515cfc46fca11bd40cfdbda676600ffb9eaedb9ad09632d14273ae251fc566d14b5ac3e2d0d0118ec95fa5c3d84735
SSDEEP

24576:B2N8jiZ4zypIPs1JTDE5PjxDurIr7TX9OAg6/+tkF4PU35yys8NuQsRuj7+oboBv:B2N8jiZ4zypIP4JTDE5Pj0rI/TIbE+tj

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1636	alg.exe
1832	DiagnosticsHub.StandardCollector.Service.exe
4868	fxssvc.exe
2372	elevation_service.exe
4960	elevation_service.exe
848	maintenanceservice.exe
1580	msdtc.exe
2272	OSE.EXE
1344	PerceptionSimulationService.exe
2664	perfhost.exe
1920	locator.exe
2436	SensorDataService.exe
1064	snmptrap.exe
4112	spectrum.exe
840	ssh-agent.exe
1280	TieringEngineService.exe
4124	AgentService.exe
836	vds.exe
1296	vssvc.exe
2156	wbengine.exe
3724	WmiApSrv.exe
3896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\vssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5967092c9a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\alg.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\locator.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\spectrum.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\vds.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 2680	4264	PI-12042023-02.exe	91
PID 2680 set thread context of 5116	2680	PI-12042023-02.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{71ADFEE3-430E-4776-83B2-F32638BD7B7F}\chrome_installer.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008475a55cad8ed901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b5e95dad8ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1af845ead8ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d72de05dad8ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcfc3860ad8ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e53df65fad8ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe
2680	PI-12042023-02.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2680	PI-12042023-02.exe
Token: SeAuditPrivilege	4868	fxssvc.exe
Token: SeRestorePrivilege	1280	TieringEngineService.exe
Token: SeManageVolumePrivilege	1280	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4124	AgentService.exe
Token: SeBackupPrivilege	1296	vssvc.exe
Token: SeRestorePrivilege	1296	vssvc.exe
Token: SeAuditPrivilege	1296	vssvc.exe
Token: SeBackupPrivilege	2156	wbengine.exe
Token: SeRestorePrivilege	2156	wbengine.exe
Token: SeSecurityPrivilege	2156	wbengine.exe
Token: 33	3896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeDebugPrivilege	2680	PI-12042023-02.exe
Token: SeDebugPrivilege	2680	PI-12042023-02.exe
Token: SeDebugPrivilege	2680	PI-12042023-02.exe
Token: SeDebugPrivilege	2680	PI-12042023-02.exe
Token: SeDebugPrivilege	2680	PI-12042023-02.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	PI-12042023-02.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 4264 wrote to memory of 2680	4264	PI-12042023-02.exe	91
PID 2680 wrote to memory of 5116	2680	PI-12042023-02.exe	98
PID 2680 wrote to memory of 5116	2680	PI-12042023-02.exe	98
PID 2680 wrote to memory of 5116	2680	PI-12042023-02.exe	98
PID 2680 wrote to memory of 5116	2680	PI-12042023-02.exe	98
PID 2680 wrote to memory of 5116	2680	PI-12042023-02.exe	98
PID 3896 wrote to memory of 3236	3896	SearchIndexer.exe	119
PID 3896 wrote to memory of 3236	3896	SearchIndexer.exe	119
PID 3896 wrote to memory of 4332	3896	SearchIndexer.exe	120
PID 3896 wrote to memory of 4332	3896	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:5116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1580

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e8fd9fe6db54bc0d9fe85ad77de948b

SHA1
231b9013a767b9f4355b7aef6297cffdea8552a8

SHA256
ca7643ff2cb69b7c6544afec193865a1f8abb8b43b65e73e5f25e118fbba8841

SHA512
cbd22c4463f501cfef61a13a4b5eea067a208566478b99fc21a99912ae17cb15625241983bece90c344bdac78f9ca0f2455759b9b7409dadd6e7033198daecec

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
627a7306223209ed354a2012735b26cb

SHA1
30f112ad49cd943b4e386cf330f54d0da2da369d

SHA256
4fd6eb42faa959b1966e4e65b88477c0e3e0ff9f22233b15604dd45e96a4bb19

SHA512
9f2ff055479cea46acd2a6274a5f6c17fd6b885f8b2b441b3a07bf577f501b5cff122a7018f96f177b86c7a88827b473175ffe6f62cdeed582f194b4ca0cec8e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
627a7306223209ed354a2012735b26cb

SHA1
30f112ad49cd943b4e386cf330f54d0da2da369d

SHA256
4fd6eb42faa959b1966e4e65b88477c0e3e0ff9f22233b15604dd45e96a4bb19

SHA512
9f2ff055479cea46acd2a6274a5f6c17fd6b885f8b2b441b3a07bf577f501b5cff122a7018f96f177b86c7a88827b473175ffe6f62cdeed582f194b4ca0cec8e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0282705f704e178e5c76a1bd7ecc2081

SHA1
97289eb4df3ce76fdc62cc57572d2a50f8a3b6d2

SHA256
fbcf6a98df3cd21cea7e82dc4bb2b481cffbea926fc13f0c38fba602cbccab15

SHA512
9015894052892e409d4a47e0ace2e94fb55d69d3516c7b88d6ce8b43fd298e74c0c6822f063f724abd040558f8e279a938e9c0af76acc49a4ce5f78e1595c50f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
c5ede06bf1077c72fd30afeac1b39687

SHA1
0f4f76088faf52c7b58b424ebeebcb5f32f00b0e

SHA256
dbdb4dacc28129e6b47e87bb7d40c0a2d11e1e038351ff12a5eaa46803169ec7

SHA512
ab8a04492727ed94f8f08b13bb81c7519063eab1a99b43f65c3498bf6f69b756b90593585ecedfe3a866f2e3394371012ae27a089960bbfd5e45fd7f861ee7e5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
8461b33e78d215d784513c7cb5639046

SHA1
71039c2d9b6264a0bdbc33d0f7e889c15b97b64e

SHA256
31f21154b6f467c0e30af20e7999c535ada229733a9af7d28ef5a660be1d082c

SHA512
51f0c311fe06b7d3769c86f4cfec6e0c19cc99380da43b6e5c3bb24d0fdd80c3c10012846de8827ba19e83f64c18686900b220c4403fddb787e0a59264bf3a13

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7e734fc562a16631910fd1b6c558d9ce

SHA1
1d7aca1f62bda73c3247a43ed54449a9f04b8259

SHA256
5a9549a6bd96f1908b6550625e8cadf4dfecbb1ddc655f0d7900ce65bda8f947

SHA512
9c28c6a95b56201eeecf0604a1588025ba00a1bc6fe79be1b3844305a3a52cfd623089ac1e221372a5f48b990dce3e39b81ac88b437d54060a7837739e1c30b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c4a7c4ce56f16f6d43b7299975ddafa6

SHA1
bb595c8f06bc50d201f52c3d204020bf7d483f69

SHA256
a51faf098acd724de99f8f50845111dab05e6b98e3b170a9b3620689d3abf310

SHA512
1a876d9d344ed6d6d88d60a90625a8f05f05e56ba29759ce0fdde8a5c4bf87419c29b8efd7c132d8b8ada2c9e2eb0fbbc34940b10c7ce84500265de1dfdad5f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f53e67f067b0dbeaef4165eb53d8a00

SHA1
454e10a1d2996a35d6d329b2bbacd9811aefe550

SHA256
59ef516a1460c1f3e016822f691ac4dec855042787a3f70706b358eb37af98c4

SHA512
525da9daf675861f40d99f0e37dd0d660999dbafa644458097910f791fc58f43e91396a7620316d1171bffcd5cbb1dc259bf9ee634923b1aed2a9c87507950e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
e159c476974f872b95bd42bbcbb67023

SHA1
12fe4c087eeb6ff9654c3b56519752e7af57b2d6

SHA256
b66f57829cbde2f89bf887b39ac85eba02dbf5a9e40655423347f983685e5877

SHA512
76d207a6dd3028e69f1f69439461a4f25cf578819a038babbbbbcbeb07531077ee24fc0d6eb98d5ea328ea6eba6c24e5cc62f0da616dff5fd471000df3e227fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
db8ccb17b0481b6f29ce64003788f7b3

SHA1
1752fc10513a97009cf8617bf468ebafe0efdb38

SHA256
1bd23016d10d5f7179f25ad075754cad2371b827bde0c85d865d156cde3d7d0c

SHA512
e3ca4f0fd98fcdbeb087de587e1959513a48e9010d169aac7582696b8ee1cb9dba7e03e50a20e8bc476efcb2d07ff40229716897633da47ce9930609df5d7371

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2b8fd75b2abdcc4a604004fbe5958fce

SHA1
b1abb5af7d4b64da972dd8969d71b8b73c752f62

SHA256
3312ea458bad2c13439166e48950ca935ae38d55de6d893681278f3f3d1e0325

SHA512
3f90cec8ac0c0cbe74495f31a9d1a0553a2438545e4a1474d9167c8938350e993c0c08c159dbd8fb9f3628b702341d82c77d339e867e0cc3e82addf2cad9d522

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
38fd07f430b81a77b9f30023dbf1aaab

SHA1
05f0f957ba121626ae31748b823bebef301f261b

SHA256
4c4ec2c8de1f94ea46de35bae82e6d1e833e005420079d75ec899eaa2dfdfdbf

SHA512
fe5d8496efba7668d1802428a30f442a0a8e652c1092f3aa13dc1c909ecba988e1df9121a0cc98a4e1d380ee8e45bb198530e1c747a20d320b0aee3abb425de6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
4e7ffd828c1d53e32ecd67a5838517b1

SHA1
83ef80672616ba3d6efd6996ddeec74c87b092b4

SHA256
3aeeca0d1851fe5cccde70282171ceb62619488fe05428697c59acd8c11dd69c

SHA512
5becae17ca0fb588a36316945ada58ffc660969f537dc4f13b1b52113f1105859bd9d879fd169ce50223b535359d490567c9b57eb5ca7f1cca380655a9696648

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d93783f7096ab21d307f8d7bd7d95744

SHA1
5c5f22a10c957505108f704718020d1468fc6b5a

SHA256
d72268dac5865f474cb8ae55cd2f1805e8965a09754c6fffafdadfbd02cbbbb7

SHA512
c5b5e8448f621c51a23f41cc1a4fc4c89a1e3b6f92daa8d47601403bf5e46998f1a46141fb902fbe59f24d5a3c64fe9bcd2e62866936162d7973fe65f5429cea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
ec8deeb283c08cda4de0517b3beb6366

SHA1
4918a92cdaa74c57b7860f80d82f823629e5527f

SHA256
21d2a72cc091977b6efffab91a4f12c9a5c8dfcd8547e6c22f188cd73f90e37d

SHA512
4aae0293adaa14f6f7e95655f2f0abe03a06fe8e29fc6bce617ac2560392a8279d416446373f21e8c49859b1f4d79d5087cd5412f69a51f6fbe27dba5b7a3a1b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
85cfc94062998648d7558c3d444a351c

SHA1
f72274561482d891894eef0c76bf1171166fdd9b

SHA256
b9aedbf55c2b123b902ed8a7bec23f94e591f7209f1e8877ed7424e4061a6e5a

SHA512
8371a065eb900769327088f44d727b61e7b8877026dfc825157f708db533836d1aa116ce160ecce4bcbf89202c4e8b6dd20c7f7dc35bffd2ccc21d5fe5d5152e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
88ae803836050f3198f88e7adc33496d

SHA1
66a9c5e7552e2287f1f6661b76b537eb4464c565

SHA256
8bf4c014ceb83b3f3900af7a4dce7a77c198dcbf6edd72ce7c518b557d837055

SHA512
aca5fef65a98c9fa130557f762a0313d0f8953ad09860be323de3fcaab8fb92554ee4e19472ed2260b4f85f2ad4a815363fd702ead7e19686c67b388e6a0b3cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b783ae92f7c5900a0f2a0bbda1b75cc7

SHA1
e5dcec24fc211658c4f264afc8e1e36b3d5a3fe8

SHA256
61e242a1c70c902db72c7737115a8d491b4f293012ac7b5643fe6cdd0164182e

SHA512
7efda895fea6f48ce695bd0933e70b0e7c7257cbcd16d072a63f3a31e7e0f2e7321761d3cb9621b561171f044ffe3a84435cd53c4c5c49017d4e9e00e31f7cfd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
cdd32eb40c712770f7a82fdb53a620fb

SHA1
98caba1124d9df3938b9396571ee951b0b381665

SHA256
3054ed69e8781b9b903cc8e4cba79a42af2ba989089abf65566211d0bccaf05c

SHA512
4094a85c182a8dbc30aa47ded806418b3e9d767652fc83621331a224c9047041ed1d50553e94a82de9b0e12b79687b4fa2ce102221961d4fa9f282d73b283e4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d8fb45873cff8327436644d074939708

SHA1
e5d79b85431a0025ffc2e31c120f883378c44de8

SHA256
6c07f1b8b8110510b8f0ef02522db0bb64535676e46f02ad33bfc5e8e4fde4c7

SHA512
02814f64f9865b9cea06297ca0e11a32ec1e4cb0bcec65cbd8077c07edd2884fa4b3694d67bc42014de624e141dd4b7a4f6a87548c454c0fb7a015c857786c12

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
965271ca28e2f75a03653f8f0c98fa89

SHA1
ceb05f51776f4f5d05d20b66b04029741b8cbf67

SHA256
9822c65e40d1a62af7b6a3a2af44bd5ec441c550e2d74513184b863dc3013034

SHA512
58e05642fe6a362f882baf6be9b6103fe1565c89d3ff15d12979657772c75ff464223b15b22be3d6cb46b319d99d5e407b48d74e3ceefec1fb19135d4a1b71ef

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
57259a1413c79586d330f8ea5155bf10

SHA1
4297b45ae8d115faaf49871f4bbe400b8571182a

SHA256
f718e6b1b8afd90857d6d6927ac3594fdbc1694831614a219b84a427038e42c0

SHA512
b8caf89b695c1c9b659d4df25f062b1558ce5ece001e3219147340fbf5a7c50ce43f8aa4aaa56819f9b62cbc8cae51068de404caeab9a7491687702a40752754

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
1bc339af8947b13cef5d2cfe0b5492e2

SHA1
17cfe1ec6e81b443a07a8d618fc07ad54e914837

SHA256
fe41f88e5914b64021f5b00b5ea4fe98dca8028f5fc940af97366d786314e863

SHA512
d43f4937d28cffdb405ed5721be518df5f79f15a5c173a1438e932c43bc33233fdc73e1ee46af08fb68d6249ad140148071e2890807100daab6238a03825dea8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
c48b84550a94251c10d0f118c48e0bfd

SHA1
69407f3791eba8e73068e131dc9880e145b633bf

SHA256
497962b8f52551ddd72adfc6a28742f6d5d4108c588f17689d088e0427abd8ce

SHA512
2615d735fd4422142cd87abadd859e199104925194fa9052cec99a8b56705bf000ec5cb41b74898e01db60626e39ff179edf44bb43ad53daa8446202a0c2940b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
88164057bb3338139abf04e986dde61c

SHA1
e760dffa74a0e11dd1703c19f5c7ced97bd8eb76

SHA256
f8e40789a15783370f0843ec78276c9408aa73f7b32947e66a13d65e2c6d7850

SHA512
d3132e132df2acd4565bb75a84465625eb0580afc8b25ba4455e737eba012c3a90c529f5f8001da0374fe8907bf4014c4fde6e0c11072857b304148aff801bd3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
174f4356d26d18ac4afdc62a16e7d1a7

SHA1
08a6e47834f9c654b4d42f974c9f536af3589bf2

SHA256
42bfe2c39b5d69dff45361a521611e86210d2be4040b34f2e906a069b40b9cf1

SHA512
736e778d2e36adfb699b66f9e85899de0bc2144fe1e9b0fefa89024c521d78f183ba11112aad2cc5a36251d9fc20f4b52a14a33e8dac5dc4886689a0af9e56b9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
a9f16c9ae309e226a644847833e57b06

SHA1
4eea90ee02c7ea6b6abc7761475c818f3b295a47

SHA256
78b7f46e3c6dbdb8d80f8bf52e59a03ac8b1e44d43b9a400f2b1e06b1d33d347

SHA512
6a47ca3a2603f0448bf64adffaefeda86e15b06edab84142a2af4b3b20473f47af14601e982e6b9c2e8d663dfa5445db2d43a6a34c68f78a9771fe2acde49bba

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
82b9b5f8bdcaeda7022205bdfa61354d

SHA1
1284f34328d84806446822db9ed2e4dc70b77fb6

SHA256
c7913fa258624e535098e894fd4d5699bfc8b67e6927e80dd601aa4d046bd775

SHA512
d7d35afdba14e18c3fa6593391485b246044d78628a6d004db948761741f1236afb205a01c66b296e76b3f8feb6aa8609ca916670f042513ec47f779da3d5747

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
2943c896c5a720fd81d05ea40af34fa6

SHA1
731b87cec89dbd9049ea014022e65a47b1ace779

SHA256
22c0ef73e5af4fd549621b46b95184c7378fcf642539ebaf356c1d63331e041c

SHA512
29a1a43095b7e7641f84fa6503e8ce96e0f63ff26189811d102016909b9c881aba23d24e948e24d7c08a11d28aaa49f96c5483f87aca88f5df4896030f4dc70d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
040fe6677cdf6834fc48f1aa505649fe

SHA1
1e907229e67c028bf497e28bda42dce579cb3e5f

SHA256
6f44e89a900aeb26b83c51d1dc3a0481fd45665351905a577fd277004ab92f53

SHA512
87f670964e0f8115de429df16a21592b7a56b5418407f7529e23a9d327c8805b2d8b00d6580a3c10672b18b5eabe557ebd5055169eaf301874ac7bd83ce169c9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ffd5bac612be809cebef9ee4be812dc4

SHA1
885a6f0eefa431274c42ecaa928c14bbae2156ea

SHA256
23be11cee10d4404e89e2a0ca86edcbeeb70a1680c9b9bfff3847cf33f7c61fe

SHA512
e8dc35d5014045df726aed414a5e88ed6fbe404c13c11170ea6f1264f59fa25e07c3c55de0bc699e0297ccf4a005f982301cce6162bc2eba0aea17b7fd8ca588

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
feb07bfdfdac1f0d8ce2c32cb021088e

SHA1
8b1869b2c3fea36d7eeff92326d4b8861ae5d852

SHA256
457ed052e73e3be25917d3cc8ba847515be5018cdd27acbd22b83583438d0dcf

SHA512
64a45f00edb4474a53b660a69a07553960bfea181cbb8f26ebea158b5d96430be7df69c4f85a25655f163e3d95902804f469bb709f169a8275b62908b6cf33d9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
752aa8876e5162ea09ca7faec1a710d4

SHA1
e42adf9588d60c63fdabd5904952df4448287e40

SHA256
0895cd04d5048308e29d28f4e97422513119fcc158339312c081bdd1ebeb416a

SHA512
c81802df2071c7b94538be77080e12fef74b69486a668c2f99620d44ee3ff051e1e2a4db41dfd3259b7de5bdb420303b932161293390acb7743080f605e63e90

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
18578405284a20b446880f8a5f7eab0f

SHA1
b2b1d7aaa0a93577dc950c548c21706483d4d7bd

SHA256
b185fbc896698055d18390bb44f46e61261cd0d66c0d92eb07499c6897dd7fee

SHA512
a26e9c0a189ab1477dd3734fe29734bb313893172bc706a87ba63631f8bfc0be4a2b2c097ac6f0b3c00750feb725dc576595cb71aa52c0f0d7931ba9bcbfdafc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
0af91deecd041f707c3be89c5380b40b

SHA1
c79e0b00d89f3604863be97d69017ad0fd4da083

SHA256
5a129fb780e8edeb242a6edacc9e1cee713f48c896936a919185507c5493eb3e

SHA512
5b5fbc600a283d341b2c95057de44e634d8ce00db1534f42ab4317d21197767314aa2a478bd1fa28ceef3cbe79a0a9361c32ee94af5bb77d4a8a80337eb78aab

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
f99ab2fd285867af3b74f071da77aa21

SHA1
c95520edd54162055d8ebaf3f5386f974931857a

SHA256
deac34e8cbe2bab70865e19b0a2beb930bbfb7cbdd2a00d2102080921b86d866

SHA512
a0f03cd7adbfd7bb9eed6d23623e763bc484b1af66ac68aaf118146928f1a3040b405842134e8060d027f00a5c19628b7f5171e13ae5c0a222b6035c21fcb5db

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fbebe4a9d907bdd46107c91677d34b1e

SHA1
83d551f5b62ff397ddba9d48e17416f19fac1ce6

SHA256
5ae8040bc0436b537d553da4f20aadb16f3f6c549c0eec17b4bbd31fa6d38c11

SHA512
3f99a776d332b5e2f017423495e8a31143a4491a26eb88b7c43be46f2e53430f5ef443df2d705e578f4fe8f508223f11305b9c0e9f784cd7adaf1e962f9d85de

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3fcb69e58d125f6a2d7f9a5f4b9cec75

SHA1
00f7c84482c9ea8a7b65d84672f61f2eb7c98d6f

SHA256
c92e0b3a15d529ab6d56a8c4236af5d366be764ede92864755ebbe4226c58833

SHA512
905b29250157d5e938778226893278f181b3ec50e31be706890cc65af6c7521614a0271f8f59ca518c407666069535d218c75da4c43d94bf9d38912ab846bee1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
76112b7a127c6af49b4116f1e207ede8

SHA1
f9bbdc3fdb37d293f4888b3c13c2217805ada10d

SHA256
dce06f5d075dc41bf2343b00432645dcfb341b4c7e1fab8403fe9e90a631cd74

SHA512
8a90b837a6bda55f72123908b32a44fbd130f1e448b30ec00255c48a41910db4d7232e99b91961d92b1c72e0fb6dc0e372c2dd48f7cfc63aa4b1e2cfac8b5149

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a38882efe686f441169f83922cbbf1bd

SHA1
ce382b9d03a18054d50547db7d563224764abac0

SHA256
27e92076c03dff45425c77e58806da987a60df0005750e78facc9d077ef1191c

SHA512
4169209e42ac0e878018faf1d07ed704d565f222bf5d9ec09e586a410c6f93350a0404af216ca90fd40bbd109149fc39a350dd71b0f02b59043b8ac1ad3e295d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d67e760032e7720dd73d7614f486a6f6

SHA1
f3ef444416248d45d5ff03827ea878cc5c6cfdfa

SHA256
9e8a9c63535504d5bad79532eae54e30ba23330d3b3ce159e462ee4b30c5c1ed

SHA512
c23f139c93799b1616e0d4dc459e063897917f89b84963c8ca7bdf75ec9bb298dc939c5a88500edc8c25db349509278c871c65d2b43327b91ed7d2619a6162a7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5c83c9b44d87262049de7ea4ad6b9d34

SHA1
912b716c11e345f7f4cfead9b8a354db3e491a13

SHA256
9e780c8a9eca29abea2ba5f3d711c5f0279a8e0b6fbad8611af8364296262ad8

SHA512
ff08bba2926c1699ff2eb2a2eca1ebe95995aaf8388efa3bcd4efcc7f52e231601acc599a2b71d7d48330e3f2c2d80835e55f890ded055b485c7549c809e3f8b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a8528911e0a34332ad91951b0f6f3dd0

SHA1
25c09e723182f49a5336e62b6cd879cf3697f6f0

SHA256
dc940f4b96578568442b1a0aa893cb53be476d684223bc942f8296485c9ffcae

SHA512
68bb84faff46cc93b700148c21d62c388185850ed3114aeaaa250cc314976f985595b139b0467a0d63afc18ed5ee6d6fcffbff090ec61dfc69e5c9658c543665

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a8528911e0a34332ad91951b0f6f3dd0

SHA1
25c09e723182f49a5336e62b6cd879cf3697f6f0

SHA256
dc940f4b96578568442b1a0aa893cb53be476d684223bc942f8296485c9ffcae

SHA512
68bb84faff46cc93b700148c21d62c388185850ed3114aeaaa250cc314976f985595b139b0467a0d63afc18ed5ee6d6fcffbff090ec61dfc69e5c9658c543665

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
355ebcf3b11b43b8c5fcac51e70f62ec

SHA1
02623a1a541a264b29f07308144859f6e8e8bd0c

SHA256
5a77b983e22edb3a1eebe77fe8617e00963b6e1f6e92375f204c3c183220f27d

SHA512
1be22ed9f0fb10ac12342ce0cfceaca1218cb17c53cfe364be33842c754929d7240d0504dff0495e8da9bd19d80551ffb978128f975b9a5b97583612113108df

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2a19fb882d456cbe32e38b0c17cff412

SHA1
fca4c596144277c553293b11943ddbae46679b8f

SHA256
808f5fa87e3378148f8f5984a8fb8029702fca6f72a1cceb83c28e61862fe20a

SHA512
776ca6a2d3d85c87b23856f2091364c70987b05ef8de1b8637d88908c9f7acf3de68fe4da226b3322ec1b73901f13492669ad2cc9422e771d583e537010da8aa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f94b19e086de4b3c2a85bfcfd479a30c

SHA1
7058dc3f64e2920f9dbb9203146a05765359a90c

SHA256
b11437f96a4b00cb99b931fa30fdd58f488fa7390eb2d29c6ca3e4a6743a2a37

SHA512
5cb429a5f03e2c710bc58312b7e61f8e686fd8919d9dde522f821a500c5790da3fa74f154b632a0818e326d77f294e5683844d552cf2b7206050bb55014c324b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f94b19e086de4b3c2a85bfcfd479a30c

SHA1
7058dc3f64e2920f9dbb9203146a05765359a90c

SHA256
b11437f96a4b00cb99b931fa30fdd58f488fa7390eb2d29c6ca3e4a6743a2a37

SHA512
5cb429a5f03e2c710bc58312b7e61f8e686fd8919d9dde522f821a500c5790da3fa74f154b632a0818e326d77f294e5683844d552cf2b7206050bb55014c324b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
64e0ccd45cd327aec0a01e369488db71

SHA1
84253ca57d74264d5f3ce598c09fd8cf5742fc4a

SHA256
c1276a6cabce9a306fd7d9fa57bd14399e94f442e88f020c398502b76a8e8856

SHA512
c26ca6d87f031d5d409861dbc06c26a9bbcd1a070006f585dfe9d5db8a040099db35eff4d5042cd10d3e57a95401e61a4e6e444c10a9a13355b84a7cec4031d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
29b8f2312cc35b409d31904c6d3e75f2

SHA1
b4bb6b308e7c7060a73bf3c583e49e3ca040ec2d

SHA256
946d94d0e1e1139dc6085ad4f5bbc686a686a700459e3eaa9e0e6334da903fb9

SHA512
b8e835537778b0d02147c1258043e59ef21f0c3f192cd606ea0d979ff3ef8eda921841e55e4c032c1b1b858c5a9078d06f4a5e38d46d750df33daa69b56aa81c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d1342e7d7ecde70e178addeaea06014c

SHA1
0e3ae3bbaf039260583b6bf1b8f803047c8c740a

SHA256
9da2ef00f877353a9e2a18d8b92a0a09fcf1b7f49f5d6ae967477ea9638c5af5

SHA512
baec5df7b4142674ef5f1079016712b3eee11fcf754787add30abb012fb75992a2bd069f9b1d1c5b822048595af501c8274d746febd14e73a2f5d7e77d8746f8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4c40604cc81dada84f6c13b79bbff290

SHA1
dae5cdf923ab23d6e50fd7de5203e94d8eb5f894

SHA256
286f45e64554b8589bf535f09e711fabeb04c40725aa9ab98bff326eba124776

SHA512
3b05472727b5430f09c891c241a6e97f83611a6b2ccf1180a25b95eba945a0d9efc71628528646ff1ab2b188ea80516fcbdb94c2996a8f5cc04977acaab6ab3d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b39f7c4bb93f806efb3670a0a1ca2096

SHA1
56bd0c3ef42f7f617a44300d9cb7e73bac32a266

SHA256
8c6a452b2f8bcd43aa0bd1ca9a093c97bea8367e1dc7de63af29237f0025da2b

SHA512
72bc8fb3d607844ea8519833bbfdd288396cd75cd691fcce72192ad3283972b2d3d2b4938de6891671fb4bf4efdf8f961ec2c34eb3228e04212743ee4e7e23c9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c9525589ac64761b295d98f5c8ec220d

SHA1
3082b20a1efe5fe6d532e4c6cb426d38ed00b5ad

SHA256
4643ec4c7e902da658ebfded32e480069286900f55eb5195f186158ac886c927

SHA512
1eac66389d6f67bc40835605e3df90ed1384f3c5a605999ac64997328a4b79488eac5dc54817871e19ce1f3cf81e8e86793a7fffab8e570b883553d81f7a7e35

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7c5b9d6441ac78bfda09a2a8dc835344

SHA1
e9bb8b5efd50fc502bc6d235ba7e89bdacc6b901

SHA256
d9c85910f78caf9ebd9bbf5a15f68f1120b9b7ca2349ae668086ec0e16b15a37

SHA512
c450ec955194497a14c86b5676019aea34ea707368c37fd77540aa99ec5a4807e40a861fdf09edec4636b571fe14bb65cf5900bddd23273a796a5b6be8cd2dc2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a81fa7bd66ccc27250c24b096726bb28

SHA1
85d2403e7a910bb04e372302c2248f9467d14e49

SHA256
ff9fc6ea78332263b4e330e763f1635a72b3262a55937c9f57fee3e595d7689e

SHA512
7ca55905758675144d6d9532b12ab8dde16d80d4aee1d16d8a785c60e8284e7f88c48fb620d0175cbf1eb17c1843a4e122176bcf4a3b3906a84c3051d65af943

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bed9edd175a21b747a8ec5f286261147

SHA1
daada438b196242d43b978717179d39080e3d871

SHA256
80c0675de8f23d3c7df6d9c2f422332378637ddc09287939fe1cae4d4e049ad3

SHA512
0474410fe7d7c4641cde1252074c4e0f6b825c17329083fd6e0faa8677c44e4f91811edb03a2ce95f0a1cf25d9e0a7150422a0a0e699363e4a6c1e71e7623bee

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
76112b7a127c6af49b4116f1e207ede8

SHA1
f9bbdc3fdb37d293f4888b3c13c2217805ada10d

SHA256
dce06f5d075dc41bf2343b00432645dcfb341b4c7e1fab8403fe9e90a631cd74

SHA512
8a90b837a6bda55f72123908b32a44fbd130f1e448b30ec00255c48a41910db4d7232e99b91961d92b1c72e0fb6dc0e372c2dd48f7cfc63aa4b1e2cfac8b5149

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e60c5e3818a23a23ef916453775b0a39

SHA1
ed29988868b563f36d243d6a372cba225bfbc358

SHA256
785d043fbed4477b033b4a4c85b7db50d0a81211ca9d56a17bf25290a7abd1e6

SHA512
ab935cdf96f3623a0e32607ea6c2355c425922bb62b19c0ff96945be9a4446ac4e92123207647bee2a679ef92482e3b99150ba6f27c63781208c5a4e413db72f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c0be4102bd1fc2e20b0c5ae44f77ba0f

SHA1
b6340adc7f9af8324274271302e5a1af5e6ff6bf

SHA256
e25af75fb931407df29e126846397ffd2e8a0e3acac2721ff01e3d904f701fd7

SHA512
6d61b02473b26c5d121bf05fe48b8b0b7f8bc661b63ec86c0a41c9f412b132cf925cf8bd9aa8f672f2ede1ea29fa084a979c0229578f4f092a95d295ed4953ab

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d67e760032e7720dd73d7614f486a6f6

SHA1
f3ef444416248d45d5ff03827ea878cc5c6cfdfa

SHA256
9e8a9c63535504d5bad79532eae54e30ba23330d3b3ce159e462ee4b30c5c1ed

SHA512
c23f139c93799b1616e0d4dc459e063897917f89b84963c8ca7bdf75ec9bb298dc939c5a88500edc8c25db349509278c871c65d2b43327b91ed7d2619a6162a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4a81b07ff2cae815709b44ceb676e30b

SHA1
d81781cf5cbda49a0b9f694c51cdd2281e9fa075

SHA256
6cfd0d8445d2c3e16eb6e44f3a7a3068750c6a8795603d4a4f3328c3709dc977

SHA512
5fd305f3171b4d95d4dff73b45b273b7da4fd77f769460a519784d05fa4d61d6b393e9936d83a31c6f185d8f96b70a493dcc47ae036f147468f83e14f696f58e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4719b6e58379367e25fd7480f1bb5216

SHA1
96b4210b9fe3c64816ff621636b6f6fbb1724b38

SHA256
ee603075b48bda8757a94cc091b3088a15d967dcb57d5cdf93a7d79d322f4066

SHA512
f3a9e53341c6284a05230f3988807c989eff34035d7976c868edd0565d53bfcf22d8a9c69bed078e0c04182aaad750201872ee81c0a8954536db6bfacc836c5e

Download Submit
memory/836-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/840-347-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/848-226-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/848-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/848-217-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/848-229-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1064-322-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1280-351-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1296-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1296-376-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1344-272-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1580-234-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1580-243-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1636-443-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1636-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1636-163-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1636-164-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1832-187-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1832-176-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1832-170-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1920-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2156-398-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2272-270-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2372-497-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2372-195-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2372-218-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2372-201-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2436-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-562-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2664-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2680-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2680-144-0x0000000002C80000-0x0000000002CE6000-memory.dmp

Filesize
408KB

Download
memory/2680-162-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2680-149-0x0000000002C80000-0x0000000002CE6000-memory.dmp

Filesize
408KB

Download
memory/2680-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2680-441-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3724-400-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3724-620-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3896-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3896-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4112-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4124-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4124-354-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4264-139-0x0000000007900000-0x000000000799C000-memory.dmp

Filesize
624KB

Download
memory/4264-133-0x0000000000B70000-0x0000000000CEA000-memory.dmp

Filesize
1.5MB

Download
memory/4264-134-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/4264-135-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/4264-136-0x0000000003250000-0x000000000325A000-memory.dmp

Filesize
40KB

Download
memory/4264-138-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4264-137-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4332-697-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-669-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-641-0x0000022063170000-0x0000022063180000-memory.dmp

Filesize
64KB

Download
memory/4332-642-0x0000022063190000-0x00000220631A0000-memory.dmp

Filesize
64KB

Download
memory/4332-643-0x00000220631A0000-0x00000220631B0000-memory.dmp

Filesize
64KB

Download
memory/4332-650-0x0000022063190000-0x00000220631A0000-memory.dmp

Filesize
64KB

Download
memory/4332-667-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-668-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-686-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-687-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-692-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-698-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-696-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-695-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-694-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4332-693-0x0000022063460000-0x0000022063470000-memory.dmp

Filesize
64KB

Download
memory/4868-180-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4868-186-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4868-189-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4868-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4868-190-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4960-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4960-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4960-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4960-545-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-220-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/5116-204-0x0000000001200000-0x0000000001266000-memory.dmp

Filesize
408KB

Download